Case 1:21-cr-00582-CRC Document 66-1 Filed 04/08/22 Page 1 of 9 


EXHIBIT A 
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U.S. Department of Justice 


Special Counsel 





March 30, 2022 


Sean Berkowitz, Esq. 
Michael Bosworth, Esq. 
Latham & Watkins LLP 


Dear Counsel: 


Pursuant to Federal Rule of Criminal Procedure 16(a)(1)(G), the government provides 
notice of its intention to call an expert witness at the upcoming trial of defendant Michael 
Sussmann to testify regarding Domain Name System (“DNS”) data and other matters relevant 
to cyber investigations. As detailed below, the government hereby discloses that it intends to 
call FBI Unit Chief/Special Agent David Martin, who is currently assigned the FBI’s Cyber 
Division, Technical Analysis Unit. 


The government also provides attached hereto a copy of UC Martin’s curriculum vitae. 





ie Domain Name System Data and Analysis 


As set forth in the Indictment, the data underlying the allegations that the defendant 
provided to the FBI and Agency-2 was purported DNS data. The primary purpose of UC 
Martin’s testimony will be to describe for the jury the basic mechanics, architecture, and 
terminology of the DNS system and DNS data so that they can understand various technical 
concepts that appear in documents and other evidence that the Government will offer at trial. 
UC Martin’s testimony will explain, for example, that DNS is a naming system for devices 
connected to the Internet that translates recognizable domain names, e.g., 
http://www.google.com, to numerical IP addresses, e.g., 123.456.7.89. He will further explain 
that a DNS “lookup” refers to an electronic request by a particular computer or device from 
another device or server. UC Martin will also describe how DNS lookups are initiated and 
processed, and how various DNS data and records are maintained on electronic servers and 
systems associated with DNS. 





As part of his testimony, UC Martin will describe how certain private companies and 
entities maintain DNS “resolvers” and, in some cases, offer “DNS resolution services” to their 
customers. In explaining these concepts, he will also explain how DNS data is typically 
processed and stored by these and other entities. He will further describe how certain private 
parties can and do gain access to DNS data, and how certain companies collect and 
commercialize DNS data, including what is referred to as “passive DNS data.” 
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UC Martin will also provide the jury with specific examples of DNS data in order to 
describe the interpretation and meaning of such data, including particular fields that appear 
within the data. He will further testify concerning the nature and types of conclusions that can 
— and cannot — be drawn about persons’ or entities’ online activities based on a review of DNS 
data. He will also testify about the analytic significance and conclusions that can be drawn 
based on the provenance and origins (e.g., collection source) of DNS data. 


II. TOR 


As part of his testimony, UC Martin will also explain the Onion Router (“TOR”), which 
is a free and open-source software for enabling anonymous communications. He will describe 
common terms used in connection with TOR, including the concept of a “TOR exit node.” 
(As you are aware, a white paper that the defendant submitted to FBI General Counsel Baker 
contained assertions about the purported use of a TOR exit node by the Trump Organization 
and Alfa Bank.) UC Martin will explain common uses of TOR, as well as investigative steps 
and methods for analyzing online activities involving TOR. 


Il. Additional Testimony 


You have indicated in recent discussions that you may seek to limit the testimony and 
evidence at trial concerning the purported DNS data solely to that which reflects the 
defendant’s state of mind and subjective understanding of the purported DNS data at issue in 
this case. We therefore understand that you are not currently inclined to offer evidence, or 
engage in questioning, that would imply, assert, or seek to prove the authenticity of the relevant 
DNS data or the actual truth of the allegations at issue concerning a secret channel of 
communications between the Trump Organization and Alfa Bank. If the defense, however, 
does cross examine Government witnesses or calls its own witnesses to testify in a manner that 
seeks to establish or encourage particular conclusions in this regard, then the Government 
reserves the right to have UC Martin testify concerning: 


e the authenticity vel non of the purported data supporting the allegations provided 
to the FBI and Agency-2; 


e the possibility that such purported data was fabricated, altered, manipulated, 
spoofed, or intentionally generated for the purpose of creating the false 
appearance of communications; 


e whether the DNS data that the defendant provided to the FBI and Agency-2 
supports the conclusion that a secret communications channel existed between 
and/or among the Trump Organization, Alfa Bank, and/or Spectrum Health; 


e whether DNS data provided to Agency-2 supports the conclusion that Donald 
Trump and/or his associates used one or more Russian-made phones in the 
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vicinity of Trump Tower, Trump’s Central Park West Apartment Building, 
Spectrum Health, and the White House; and 


e the validity and plausibility of the other assertions and conclusions set forth in 
the various white papers that the defendant provided to the FBI and Agency-2; 


* * * 


The government reserves the right to call additional expert witnesses and/or substitute 
expert witnesses. The government will comply with its obligations under Federal Rule of 
Criminal Procedure 16(a)(1)(G) and Federal Rules of Evidence 702, 703, and 705. The 
government will notify you in a timely fashion of any additional or substitute experts that the 
government intends to call at trial and provide you with a summary of the experts’ opinions. 
The Government will supplement this notice as appropriate and as more information becomes 
available. 


Finally, the government renews its request for reciprocal discovery, including any and 
all expert disclosures. 


Very truly yours, 


JOHN H. DURHAM 
Special Counsel 


By: /s/ 
Jonathan E. Algor 
Andrew J. DeFilippis 
Michael Keilty 
Brittain Shaw 
Assistant Special Counsels 
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CURRICULUM VITAE 


David M. Martin, GSE 
Unit Chief 

Federal Bureau of Investigation 
Cyber Technical Analysis Unit 
PHONE: 703-633-6932 
dmmartin@fbi.gov 





PROFESSIONAL EXPERIENCE 


Feb 2022 — Present Unit Chief 
FBI Cyber Division 
Cyber Technical Analysis Unit 
Chantilly, VA 


Lead a team of over 50 FBI employees and contractors responsible for the FBI 
Cyber Division’s Advanced Digital Forensics, Malware Automation, Data and 
Network Analysis, and New and Emerging Technology programs. Responsible 
for establishing unified ingest and processing system for all FBI Cyber technical 
data, establishing best practices and performing technical review of all reporting 
produced by CTAU. 


Nov 2021 —Feb 2022 Supervisory Special Agent / Acting Unit Chief 
FBI Cyber Division 
Cyber Technical Analysis Unit 
Chantilly, VA 


Program manager for the Advanced Digital Forensics program, which provides 
digital forensics and malware reverse-engineering services for the most complex 
computer intrusion cases across all FBI field offices and conducts technical 
review of Cyber intelligence products. Managed personnel, prioritized cases, 
and reviewed reports for accuracy, completeness, and investigative value. 


Oct 2017 — Nov 2021 Supervisory Special Agent 
Cyber Action Team Director 
FBI Cyber Division 
Cyber Technical Operations Unit 
Chantilly, VA 


Established the vision and direction for CAT while directing all operations and 
deployments. Managed the selection, training and readiness of CAT personnel 
and the procurement, development and maintenance of a wide range of 
specialized equipment and software needed to accomplish the team's mission. 
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Sep 2015 — Sept 2017 


July 2009 — Sep 2015 


Dec 2002 — July 2009 


April 2001 — July 2002 


EDUCATION 


Oct 2014 — July 2017 


Supervisory Special Agent 
FBI Cyber Division 

Technical Operations Unit 
Chantilly, VA 


Managed the development and implementation multiple technical operations 
using a variety of techniques and technical platforms to target criminal and 
nation-state cyber threat actors. Served as a Team Lead on CAT and led 
multiple domestic and foreign deployments 


Special Agent 

Detroit Cyber Task Force 
FBI Detroit Field Office 
Detroit, MI 


Conducted investigations into matters criminal and national security computer 
intrusions, intellectual property rights, online child involving computer intrusions 
that affect the security of the United States or are conducted in violation of 
Federal Statutes. Prepared cases for presentation to the United States 
Attorney’s Office for prosecution. Testified before Federal Grand Juries and in 
Federal District Court. Conducted forensic examinations on computer evidence; 
analyzed network traffic, log files and unknown binary files for evidence of 
computer intrusion activity. 


Senior Police Officer / Acting Sergeant 
Littleton Police Department 
Littleton, CO 


Responsible for responding to emergencies, investigating criminal and 
suspicious activity, making arrests and issuing citations as a Patrol officer and 
the primary relief supervisor for a patrol shift. | held ancillary duties as a SWAT 
Operator, Crisis Intervention Team member, Field Training Instructor, Firearms 
Instructor, Defensive Tactics Instructor and Computer Automation Instructor. 


Computer Crime Specialist 
Colorado Bureau of Investigation 
Lakewood, CO 


Assisted in computer crime investigations, including child sexual exploitation, 
internet fraud, and other felonies involving the use of a computer. Conducted 
forensic examinations of computer evidence. Developed and maintained 
software applications, hardware and computer networks for the Investigations 
Division. 


SANS Technology Institute 
Baltimore, MD 
Master of Science in Information Security Engineering 
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Sept 1998 — June 2002 University of Denver 
Denver, CO 
Bachelor of Science in Computer Science and Psychology 
Minors in Math and Business Administration 


PROFESSIONAL TRAINING 


Aug 2021 Hacking and Securing Cloud Infrastructure 
Black Hat, Online (32 Hours) 


Aug 2019 Splunk Administration 
Splunk, Reston VA (40 Hours) 


Aug 2017 IDA Pro Basic and Advanced 
Black Hat, Las Vegas NV (32 Hours) 


Oct 2016 SEC 566 — Implementing and Auditing the Critical Security Controls 
SANS Institute, Online (36 hours) 


June 2016 MGT 525 - IT Project Management 
SANS Institute, Washington, DC (36 hours) 


Aug 2014 SEC 504 - Hacker Techniques, Exploits and Incident Handling 
SANS Institute, Boston, MA (48 hours) 


July 2014 FOR 610 - Reverse Engineering Malware: Malware Analysis Tools and Techniques 
SANS Institute, Online (48 Hours) 


Feb 2014 FOR 508 - Advanced Computer Forensic Analysis and Incident Response 
SANS Institute, Online (48 Hours) 


Aug 2013 FOR 408 - Computer Forensic Investigations: Windows In-Depth 
SANS Institute, Online (48 Hours) 


Aug 2012 Forensic Toolkit Bootcamp 
Access Data, Baltimore, MD (24 Hours) 


May 2012 Digital Extraction Technician (DExT) / CART Technician 
FBI Computer Analysis and Response Team (CART), Quantico, VA (72 Hours) 


Dec 2011 SEC 503 - Intrusion Detection In-Depth 
SANS Institute, Washington, DC (48 Hours) 


July 2011 CYD 3450 — Intrusion Response 
Mandiant, St. Louis, MO (32 Hours) 


May 2011 CYD 3350 — Network Traffic Analysis 
Mandiant, Richmond, VA (24 Hours) 


April 2011 CYD 3310 — Advanced Network Investigation Techniques — UNIX 
Mandiant, Denver, CO (24 Hours) 
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March 2011 SEC 401 — Security Essentials Bootcamp Style 
SANS Institute, Phoenix, AZ (48 Hours) 


Feb 2011 CYD 1125 — Cyber Stage 2 Training/Windows Intrusion Response 
Mandiant/FBI Academy, Quantico, VA (80 Hours) 


Sep 2010 Basic Online Undercover Course 
FBI Innocent Images, Calverton, MD (40 Hours) 


Sep 2010 CYD 2300 — Wireless Technology 
Mandiant, Calverton, MD (16 Hours) 


July 2010 CYD 2200 — Network+ Certification 
FBI Cyber Division, Calverton, MD (40 Hours) 


March 2010 CYD 1200 — A+ Certification 
FBI Cyber Division, Calverton, MD (80 Hours) 


Jul-Nov 2009 New Agents Training 
FBI Academy, Quantico, VA (776 Hours) 


2008 Law Enforcement Supervisory Institute 
Colorado Peace Officer Standards and Training, Centennial, CO (40 Hours) 


2006 Field Training Instructor Certification 
Kaminsky and Associates, Littleton, CO (40 Hours) 


2006 Internet Investigations and Windows Forensics 
Microsoft/Colorado Attorney General’s Office (32 Hours) 


2005 Interview and Interrogation 
John E. Reid and Associates, Aurora, CO (40 Hours) 


2002 Computer Crime and Digital Evidence Techniques 
Colorado Association of Computer Crime Investigators, Golden, CO (16 Hours) 


CERTIFICATIONS & AWARDS 


July 2019 Countering Technical and Cyber Threats Award - National Counterintelligence and 
Security Center 


Oct 2018 US Attorney’s Award — United States Attorney’s Office, Eastern District of Michigan 

Oct 2017 Attorney General’s Award for Excellence in Information Technology — US Department of 
Justice 

May 2017 GIAC Security Expert (GSE) - Global Information Assurance Certification 

Nov 2016 GIAC Critical Controls Certification (GCCC) - Global Information Assurance Certification 


Aug 2016 GIAC Certified Project Manager (GCPM) - Global Information Assurance Certification 


Case 1:21-cr-00582-CRC Document 66-1 Filed 04/08/22 Page 9 of 9 


David M. Martin 


Page 50f 5 


Sept 2014 


July 2014 


May 2014 


Feb 2104 


Aug 2013 
May 2012 


April 2012 


April 2011 


July 2010 
March 2010 
June 2004 


July 2002 


GIAC Certified Incident Handler (GCIH) - Global Information Assurance Certification 


GIAC Reverse Engineering Malware (GREM) — Global Information Assurance 
Certification 


US Attorney’s Award — United States Attorney’s Office, Eastern District of Michigan 


GIAC Certified Forensic Analyst - GOLD (GCFA) - Global Information Assurance 
Certification 


GIAC Certified Forensic Examiner (GCFE) - Global Information Assurance Certification 
DExT / CART Tech Certification — FBI 


GIAC Certified Intrusion Analyst - GOLD (GCIA) - Global Information Assurance 
Certification 


GIAC Security Essentials Certification - GOLD (GSEC) - Global Information Assurance 
Certification 


Network+ Certification - CompTIA 
A+ Certification — CompTIA 
Medal of Valor — Littleton Police Department 


Director's Award — Colorado Bureau of Investigation 


PUBLICATIONS & PRESENTATIONS 


Oct 2019 


Feb 2017 


Dec 2016 


June 2016 


April 2016 


March 2016 


Speaker: “Already Pwn3d: Deep Dive into Incident Response and Forensics Data,” 
Splunk .conf 2019, Las Vegas NV 


Peer-reviewed research paper: “OS X as a Forensic Platform,” SANS Institute 


Speaker: “GhOst in the Dshell: Decoding Undocumented Protocols,” SANS Cyber 
Defense Institute 2016, Washington DC. 


Peer-reviewed research paper: “GhOst in the Dshell: Decoding Undocumented 
Protocols,” SANS Institute 


Speaker: “Tracing the Lineage of DarkSeoul,” SANS Northern Virginia 2016, Reston VA 


Peer-reviewed research paper: “Tracing the Lineage of DarkSeoul.” SANS Institute 


